2017 has been an exciting year for innovation in the insurance industry, and an important time for assessing the benefits and risks of technology and cybersecurity for insurers. Many of our clients are interested in regulatory and other developments impacting these issues. We have summarized below the discussions held at the recent NAIC meeting in Honolulu by the NAIC Cybersecurity Working Group and the NAIC Innovation and Technology Task Force, and expect that the issues addressed will continue to be important to our clients in 2017 and beyond.

NAIC Cybersecurity Working Group

The NAIC Cybersecurity Working Group met December 3 and received a report from the NAIC’s Government Relations office in Washington about recent Congressional moves to adopt a federal cybersecurity law that could potentially preempt state rules. The NAIC staff stated that in the wake of the Equifax and Uber data breaches both the House Financial Services Committee and Senate Commerce Committee were likely to consider bills which would expand federal oversight, and that those bills may override the provisions of the recently issued NAIC Insurance Data Security Model Act and the regulations of the New York Department of Financial Services, 11 N.Y.C.R.R. Part 500, which went into effect in September. In its recent Treasury Department report on federal regulation of insurance, the Trump Administration endorsed the adoption of the NAIC Model Act by all states within five years and stated that there would be no need for any superseding federal law if the states enacted the Model Act within that time frame. The Federal Reserve and Office of the Comptroller of the Currency do not appear to be strenuously advocating for a new federal cybersecurity law, so the Administration’s position may lessen the chances that state insurance cybersecurity laws will soon be preempted.

The Working Group heard from three vendors in the cybersecurity space: FICO, which described its “enterprise security score” as a predictive analytic tool to measure an insurance company’s risk of being a target; Zeguro, which discussed its development of an online application for small to midsize entities to actively mitigate risks; and Coalition, which discussed its combination of services to identify, manage and insure for cybersecurity risks.

The Working Group voted to disband and fold its activities into the NAIC Innovation and Technology Task Force, having accomplished its primary charge to draft the NAIC Model Insurance Data Security Act. The NAIC adopted the Model Act in October for consideration by member jurisdictions. The text of the Model Act can be found here.

NAIC Innovation and Technology Task Force

The NAIC Innovation and Technology Task Force met on December 4. The Big Data Working Group reported to the Task Force that it will survey state regulators on state laws prohibiting use of certain data and will be receiving comments through January 12 on how states should regulate the use of consumer data. Consumer advocate Bernie Birnbaum asked the Task Force to consider how algorithms could be used to discriminate against groups of insureds in connection with the antifraud efforts of insurers. As part of its 2018 activity, the Working Group expects to consider optimal means for states to review complex statistical models and algorithms in setting property and casualty rates, and will be seeking to collaborate with the NAIC Casualty Actuarial and Statistical Task Force on a set of best practices for regulators to use in evaluating those models and algorithms.

The Task Force also heard presentations from three companies: Nexar, on how its vehicle-to-vehicle network can potentially streamline claims handling and reduce the chances that fraudulent claims will be paid; Next Insurance Co., which is seeking licensure nationwide to underwrite and service property/casualty coverages for smaller companies entirely on-line with automated certificates of insurance and additional insured endorsements; and DropIn, which provides on-line claims adjustment services using a fleet of drones to assess property damage.

The Task Force considered the views of the AIA and IIABA organizations on the wisdom of states allowing “regulatory sandboxes.” The AIA has proposed a model law that would specifically authorize, but not require, regulators to waive or relax rules that supposedly hamper technological innovations as long as the regulators determined that consumer protections and solvency monitoring were not diminished. As an example, the AIA representative stated that rules requiring detailed market withdrawal plans prevented insurers from testing new coverages which could not be easily discontinued even if test results showed the coverages were uneconomic. A copy of the AIA presentation can be found here and the text of its proposed model law can be found here.

The IIABA said it would oppose the proposals as vesting excessive discretion in regulators to the detriment of policyholders and producers.